Supply Chain Attack Compromises Multiple WordPress Plugins
In a recent supply chain breach, several WordPress plugins developed by ShapedPlugin have been infiltrated. Malefactors gained access to the official release channels and implanted backdoor code within the plugins.
As analyzed by Wordfence, “The attackers compromised the vendor’s build and distribution pipeline, injecting malicious code into Pro plugin releases distributed through official licensed update channels,” highlighting the sophistication of this security breach.
The affected plugins include:
- Product Slider Pro for WooCommerce (versions prior to 3.5.4)
- Real Testimonials Pro (version 3.2.5)
- Smart Post Show Pro (versions prior to 4.0.2)
It is crucial to note that only the Pro versions of these plugins, distributed via the vendor’s Easy Digital Downloads (EDD) infrastructure at account.shapedplugin[.]com, are implicated. Free versions available on WordPress.org remain unaffected.
The compromise of Product Slider Pro for WooCommerce has been assigned the identifier CVE-2026-49777, with a CVSS score of 10.0, the maximum severity. The overall incident bears the identifier CVE-2026-10735, rated 9.8 on the CVSS scale.
Wordfence further explains that the compromised plugin versions contain a loader that runs on every admin page load, retrieves a payload from a remote server (“194.76.217[.]28:2871”), installs it, and activates it as a rogue plugin.
Upon activation, the malware communicates the victim’s domain back to the remote server and subsequently deletes itself, obfuscating any trace of its presence and complicating incident response.
The counterfeit plugin hides itself from the WordPress admin plugin list and can capture credentials and two-factor authentication (2FA) codes in plaintext.
It also establishes several persistence mechanisms: arbitrary file writes through a custom REST endpoint when supplied with a specific authentication token, and a web shell with command execution capability.
Notably, it ships a PHP file, “install-persistent.php,” inside the plugin that harvests sensitive information, including:
- The complete contents of wp-config.php, encompassing database credentials, authentication keys, and debug settings
- All administrator accounts along with their registration dates
- Credentials from mail plugins, including WP Mail SMTP, Post SMTP, and Easy WP SMTP
- WooCommerce order data from the preceding three months, detailed by payment method
Once this critical information is collected, the file is purged. Evidence points to this incident being a compromise of the build pipeline rather than direct tampering with the packages.
This attack poses significant risks, as it leaves even legitimate license holders vulnerable to malware when installing updates directly from the vendor’s official update mechanism.
ShapedPlugin has acknowledged the situation and is currently reviewing its distribution and release protocols to safeguard the integrity of its products moving forward.
New versions of the compromised plugins are expected to be launched after thorough security evaluations and validation checks.

Site owners who might have installed the compromised versions are advised to reset all passwords, revoke and regenerate 2FA secrets for every user, scrutinize administrator accounts for any unauthorized additions, and audit mail plugin configurations for any alterations to SMTP credentials.
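To help with the first step of that triage, the following is an added example (not code from Wordfence or ShapedPlugin) that reads standard WordPress plugin headers under wp-content/plugins and flags the plugin names and versions the article lists, plus the presence of install-persistent.php. The plugin-name strings, the version rules and the filename come from the article; the header format is the standard WordPress one, and the sample header is constructed.

```python
"""Triage helper for the ShapedPlugin incident (added example, not vendor or
Wordfence code). Affected names/versions and the dropper filename are taken
from the article; the sample header below is constructed."""
import re
from pathlib import Path

# Rules as stated in the article: "<" means every version before the listed
# fixed release, "==" means only the single listed version.
AFFECTED = {
    "Product Slider Pro for WooCommerce": ("<", "3.5.4"),
    "Real Testimonials Pro": ("==", "3.2.5"),
    "Smart Post Show Pro": ("<", "4.0.2"),
}
# Matches "Plugin Name: X" / "Version: X" header lines, with or without a leading "*".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def version_tuple(v):
    """Numeric dotted-version key, so 3.5.10 sorts after 3.5.4 (unlike strings)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(name, version):
    rule = AFFECTED.get(name)
    if rule is None or not version:
        return False
    op, ref = rule
    if op == "<":
        return version_tuple(version) < version_tuple(ref)
    return version_tuple(version) == version_tuple(ref)

def parse_header(text):
    """Return (plugin_name, version) from the text of a plugin's main PHP file."""
    fields = dict(HEADER_RE.findall(text))
    return fields.get("Plugin Name"), fields.get("Version")

def triage_plugin_dir(plugin_dir):
    """Return (name, version, affected, has_dropper) for one plugin folder.
    A missing install-persistent.php is not a clean result: per the article
    the file deletes itself once it has collected its data."""
    plugin_dir = Path(plugin_dir)
    name = version = None
    for php in sorted(plugin_dir.glob("*.php")):  # WP reads headers from top-level files
        name, version = parse_header(php.read_text(errors="ignore"))
        if name:
            break
    has_dropper = (plugin_dir / "install-persistent.php").exists()
    return name, version, is_affected(name, version), has_dropper

SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Smart Post Show Pro
 * Version: 4.0.1
 */"""
```

Run `triage_plugin_dir()` over each subdirectory of wp-content/plugins; a flagged version or a present dropper file means the full credential and 2FA reset described above applies.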
Source link: Thehackernews.com.